b"OFFICE OF           Report of Evaluation \n\nINSPECTOR GENERAL\n                              OIG 2010 Evaluation of the\n                             Farm Credit Administration\xe2\x80\x99s\n                                     Compliance with the\n                             Federal Information Security\n                                        Management Act\n\n                                     November 15, 2010\n\n\n                            E-10-01\n\n                          Tammy Rapp\n                        Auditor-in-Charge\n\n\n\n\n                    FARM CREDIT ADMINISTRATION\n\x0cMemorandum\t                                                          Farm Credit Administration\n                                                                     1501 Farm Credit Drive\n                                                                     McLean, Virginia 22102-5090\n\n\n\n\nNovember 15, 2010\n\n\nThe Honorable Leland A. Strom, Chairman and Chief Executive Officer\nThe Honorable Kenneth A. Spearman, Board Member\nThe Honorable Jill Long Thompson, Board Member\nFarm Credit Administration\n1501 Farm Credit Drive\nMcLean, Virginia 22102-5090\n\nDear Chairman Strom and Board Members Spearman and Long Thompson:\n\nThe Office of the Inspector General completed the 2010 independent evaluation of the Farm Credit\nAdministration\xe2\x80\x99s compliance with the Federal Information Security Management Act (FISMA). The\nobjectives of this evaluation were to perform an independent assessment of FCA\xe2\x80\x99s information\nsecurity program and assess FCA\xe2\x80\x99s compliance with FISMA.\n\nThe results of our evaluation revealed that FCA has an effective information security program, and\nwe did not identify any significant deficiencies in the Agency\xe2\x80\x99s information security program. We did\nnote one area where improvement can be made, and the Office of Management Services (OMS)\nagreed to take action on our proposed recommendation. 
As a result, the recommendation has\nbeen changed to an agreed-upon action as follows:\n\n\xe2\x80\xa2\t OMS will develop an action plan to guide the Agency in achieving compliance with the\n   United States Government Configuration Baseline.\n\nWe appreciate the courtesies and professionalism extended to the evaluation staff. If you have any\nquestions about this evaluation, I would be pleased to meet with you at your convenience.\n\nRespectfully,\n\n\n\n\nCarl A. Clinefelter\nInspector General\n\x0cFarm Credit Administration\n\nOffice of Inspector General \n\n                                November 15, 2010\n                                                    1\n\x0c\xef\x82\xa7    Introduction and Background\n\xef\x82\xa7    Objectives, Scope, and Methodology\n\xef\x82\xa7    Overall Conclusion\n\xef\x82\xa7    Areas Evaluated by Offices of Inspector General (OIG) During FY 2010\n    1.  Certification and Accreditation Program\n    2. Security Configuration Management\n    3. Incident Response and Reporting Program\n    4. Security Training Program\n    5. Plans of Actions and Milestones (POA&M) Program\n    6. Remote Access Program\n    7. Account and Identity Management Program\n    8. Continuous Monitoring Program\n    9. Contingency Planning Program\n    10. Agency Program to Oversee Contractor Systems\n\xef\x82\xa7    Appendix A: IG Section Report for Office of Management and Budget (OMB)\n\n\n\n\n                          Report #E-10-01 OIG Evaluation: FISMA 2010           2\n\x0c\xef\x82\xa1   The President signed into law the E-Government Act (Public Law 107-347), which includes\n    Title III, Information Security, on December 17, 2002. Title III permanently reauthorized the\n    Government Information Security Reform Act of 2000 and renamed it the Federal\n    Information Security Management Act (FISMA) of 2002. 
The purpose of FISMA was to\n    strengthen the security of the Federal government\xe2\x80\x99s information systems and develop\n    minimum standards for agency systems.\n\xef\x82\xa1   FISMA requires an agency\xe2\x80\x99s Chief Information Officer (CIO) and OIG to conduct annual\n    assessments of the agency\xe2\x80\x99s information security program.\n\xef\x82\xa1   OMB issued Memorandum M-10-15, FY 2010 Reporting Instructions for the FISMA and\n    Agency Privacy Management, on April 21, 2010. This memorandum provides instructions\n    for complying with FISMA\xe2\x80\x99s annual reporting requirements and reporting on the agency\xe2\x80\x99s\n    privacy management program. OMB made significant changes to this year\xe2\x80\x99s reporting\n    metrics for the CIO, Privacy Officer, and OIG.\n\xef\x82\xa1   Results of the CIO and OIG assessments are reported to the OMB thru CyberScope.\n\xef\x82\xa1   Appendix A contains the IG Section Report as submitted to OMB thru CyberScope.\n\n\n\n\n                         Report #E-10-01 OIG Evaluation: FISMA 2010                                 3\n\x0c\xef\x82\xa1   The objectives of this evaluation were to perform an independent assessment of the Farm\n    Credit Administration\xe2\x80\x99s (FCA or Agency) information security program and assess FCA\xe2\x80\x99s\n    compliance with FISMA.\n\xef\x82\xa1   The scope of this evaluation covered FCA\xe2\x80\x99s Agency-owned and contractor operated\n    information systems of record as of September 30, 2010. 
FCA is a single program Agency\n    with seven mission critical systems.\n\xef\x82\xa1   The evaluation covered the ten areas identified by OMB for OIGs to evaluate.\n\xef\x82\xa1   Key criteria used to evaluate FCA\xe2\x80\x99s information security program and compliance with\n    FISMA included OMB guidance, National Institute of Standards and Technology (NIST)\n    Special Publications (SP), and Federal Information Processing Standards Publications\n    (FIPS).\n\xef\x82\xa1   In performing this evaluation, we performed the following steps:\n    \xef\x82\xa7   Identified and reviewed Agency policies and procedures related to information security;\n    \xef\x82\xa7   Examined documentation relating to the Agency\xe2\x80\x99s information security program and compared to NIST standards\n        and FCA policy;\n    \xef\x82\xa7   Conducted interviews with the CIO and other key personnel;\n    \xef\x82\xa7   Built on our understanding from past FISMA evaluations;\n    \xef\x82\xa7   Observed security related activities performed by Agency personnel; and\n    \xef\x82\xa7   Performed tests for a subset of controls.\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                              4\n\x0c\xef\x82\xa1       This evaluation represents the status of the information security program as of\n        September 30, 2010, and did not include a test of all information security controls.\n\xef\x82\xa1       The evaluation was performed at FCA Headquarters in McLean, Virginia, from\n        September 2010 through November 2010.\n\xef\x82\xa1       Observations and results were presented to key information technology (IT) personnel\n        throughout the evaluation. 
On November 9, 2010, the CIO and OIG shared and discussed\n        drafts of their respective FISMA section reports.\n\xef\x82\xa1       An exit conference was conducted with management officials on November 10, 2010.\n\xef\x82\xa1       This evaluation was performed in accordance with the former President\xe2\x80\x99s Council on\n        Integrity and Efficiency\xe2\x80\x99s1 Quality Standards for Inspections .\n\n\n\n\n1 The\n    PCIE was abolished by the Inspector General Reform Act of 2008 and replaced by the Council of the Inspectors General on Integrity and Efficiency (CIGIE).\nCIGIE is now in the process of reviewing the Quality Standards for Inspections for any needed changes and will reissue them in the future under CIGIE\xe2\x80\x99s authorship.\n\n\n\n\n                                                 Report #E-10-01 OIG Evaluation: FISMA 2010                                                                           5\n\x0c\xef\x82\xa1   FCA has an effective information security program that continues to mature and contains\n    the following elements:\n    \xef\x82\xa7   Information security policies and procedures\n    \xef\x82\xa7   Capital planning and investment process that incorporates information security requirements\n    \xef\x82\xa7   Enterprise architecture that ensures IT investments support core business functions and provides security standards\n    \xef\x82\xa7   Risk based approach to information security\n    \xef\x82\xa7   Systems categorized based on risk\n    \xef\x82\xa7   Security plans that are reviewed and revised regularly\n    \xef\x82\xa7   Risk based security controls implemented\n    \xef\x82\xa7   Security authorization process\n    \xef\x82\xa7   Common security configuration\n    \xef\x82\xa7   Continuous monitoring\n    \xef\x82\xa7   Security awareness program\n    \xef\x82\xa7   Continuity of operations plan and tests\n    \xef\x82\xa7   Incident response program\n\xef\x82\xa1   Engaged CIO, and experienced and well 
trained IT team\n\xef\x82\xa1   CIO and IT team are proactive in their approach to information security\n\xef\x82\xa1   The IT team was very responsive to minor suggestions made for improvement during the\n    FISMA evaluation, and in many cases, the IT staff made immediate changes to strengthen\n    the information security program where possible.\n                               Report #E-10-01 OIG Evaluation: FISMA 2010                                                     6\n\x0c\xef\x82\xa1   Of the 10 areas OMB required OIGs to evaluate during 2010, FCA has established a program\n    in 9 of the areas that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s requirements.\n\xef\x82\xa1   Although 1 area needing improvement resulted in an agreed-upon action, FCA has\n    compensating controls in place to minimize the likelihood of an adverse event.\n\n\n\n\n                        Report #E-10-01 OIG Evaluation: FISMA 2010                             7\n\x0c\xef\x82\xa1   FCA established and maintained a certification and accreditation program that is generally\n    consistent with NIST's and OMB's FISMA requirements. 
The certification and accreditation\n    program includes the following elements:\n    \xef\x82\xa7   The Agency\xe2\x80\x99s policy states the general support system and major applications will operate with proper accreditation\n        and undergo recertification every 3 years or when a major system change occurs.\n    \xef\x82\xa7   Accreditation boundaries defined in security plans\n    \xef\x82\xa7   Information systems categorized based on FIPS 199 and SP 800-60\n    \xef\x82\xa7   Security plans based on risk that identify minimum baseline controls selected, documented, and implemented\n    \xef\x82\xa7   Periodic assessments of controls through a combination of continuous monitoring, self-assessments, independent\n        penetration tests, and security certifications\n    \xef\x82\xa7   Authorizing official considers items identified during the certification process and ensures appropriate action will be\n        taken before signing the \xe2\x80\x9cAuthorization to Operate\xe2\x80\x9d\n\n\n\n\n                               Report #E-10-01 OIG Evaluation: FISMA 2010                                                         8\n\x0c\xef\x82\xa1   The Agency has established and is maintaining a security configuration management\n    program. 
However, the Agency needs to make improvements.\n\xef\x82\xa1   FCA\xe2\x80\x99s security configuration management program includes the following attributes:\n    \xef\x82\xa7   Documented policies and procedures for configuration management\n    \xef\x82\xa7   Standard baseline configuration for workstations and servers\n    \xef\x82\xa7   Regular scanning for compliance and vulnerabilities within the baseline configuration\n    \xef\x82\xa7   Process for timely and secure installation of software patches\n    \xef\x82\xa7   Monitors and analyzes critical security alerts to determine potential impact to FCA systems\n\xef\x82\xa1    However, FCA has not implemented the Federal Desktop Core Configuration (FDCC) and\n     not fully documented all deviations. The FDCC provides the baseline security settings that\n     Federal agencies are required to implement and was replaced in May 2010 by the United\n     States Government Configuration Baseline (USGCB).\n    \xef\x82\xa7 Agreed-upon Action:\n            1.\t FCA should develop an action plan to guide the Agency in achieving compliance\n                with the FDCC/USGCB. The action plan should address the following:\n               \xef\x82\xad    Schedule for completion with key milestones\n               \xef\x82\xad    Adopt remaining FDCC/USGCB settings and document approved deviations\n               \xef\x82\xad    Periodically monitor compliance with the FDCC/USGCB and approved deviations\n\n\n                               Report #E-10-01 OIG Evaluation: FISMA 2010                             9\n\x0c\xef\x82\xa1   The Agency has established and is maintaining an incident response and reporting program\n    that is generally consistent with NIST's and OMB's FISMA requirements. 
The incident\n    response and reporting program includes the following elements:\n    \xef\x82\xa7   Documented policies and procedures, security awareness training and articles, wallet cards with help desk contact\n        information, and a 24 hour Helpline for incidents are available to employees needing incident assistance.\n    \xef\x82\xa7   Agency staff must report within one hour to the OMS Helpline any IT equipment, personally identifiable information\n        (PII), or sensitive information that is suspected to be missing, lost, or stolen.\n    \xef\x82\xa7   During FY 2010, incidents included instances of malware on laptops, unauthorized USB devices, lost HSPD 12 cards,\n        smart phones, and laptops.\n    \xef\x82\xa7   An analysis was performed for each incident before responding appropriately and timely to minimize further damage.\n    \xef\x82\xa7   A log was maintained of security incidents, and appropriate officials were notified depending on the nature of the\n        incident.\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                                     10\n\x0c\xef\x82\xa1   The Agency has established and is maintaining a security training program that is generally\n    consistent with NIST's and OMB's FISMA requirements. 
The security training program\n    includes the following elements:\n    \xef\x82\xa7   Ongoing IT security awareness program\n    \xef\x82\xa7   Mandatory annual security awareness training for employees and contractors using small group sessions\n        \xe2\x96\xaa   Reminded employees and contractors of their responsibilities\n        \xe2\x96\xaa   E-mail confidentiality footers\n        \xe2\x96\xaa   Encrypted e-mail\n        \xe2\x96\xaa   Web 2.0\n        \xe2\x96\xaa   Peer-to-peer file sharing\n        \xe2\x96\xaa   Phishing\n        \xe2\x96\xaa   Incident reporting\n        \xe2\x96\xaa   Preparing for 2-factor authentication\n        \xe2\x96\xaa   Periodically sent e-mails and news alerts that contain security tips and notices of new threats\n        \xe2\x96\xaa   IT Security Specialist made a presentation at the new employee orientation\n    \xef\x82\xa7   New employees and contractors required to certify they have read and understood FCA\xe2\x80\x99s computer security policies\n        and responsibilities\n    \xef\x82\xa7   When revised security policies are issued, all users will recertify their understanding of the revised polices\n    \xef\x82\xa7   Individual development plan (IDP) process used to identify specialized training for users with significant security\n        responsibilities\n    \xef\x82\xa7   Identification and tracking of employees requiring security training\n\n\n\n                                   Report #E-10-01 OIG Evaluation: FISMA 2010                                                 11\n\x0c\xef\x82\xa1   The Agency has established and is maintaining a POA&M program that is generally\n    consistent with NIST's and OMB's FISMA requirements and tracks and monitors known\n    information security weaknesses. 
The POA&M program includes the following elements:\n    \xef\x82\xa7   Policy for developing plans of action and milestones\n    \xef\x82\xa7   Process for developing plans of corrective action for significant information security weaknesses and tracking their\n        implementation\n    \xef\x82\xa7   Compensating controls currently in place until outstanding items are remediated\n\n\n\n\n                               Report #E-10-01 OIG Evaluation: FISMA 2010                                                      12\n\x0c\xef\x82\xa1   The Agency has established and is maintaining a remote access program that is generally\n    consistent with NIST's and OMB's FISMA requirements. The remote access program\n    includes the following elements:\n    \xef\x82\xa7   Virtual private network (VPN) provides for secure encrypted transmission of data outside of the Agency\xe2\x80\x99s network\n    \xef\x82\xa7   Encryption on local hard drives and USB drives used to protect sensitive data and PII\n    \xef\x82\xa7   CD/DVD writing is disabled\n    \xef\x82\xa7   Remote contractor access for diagnostic purposes tightly controlled and closely supervised by IT staff\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                                   13\n\x0c\xef\x82\xa1   The Agency has established and is maintaining an account and identity management\n    program that is generally consistent with NIST's and OMB's FISMA requirements and\n    identifies users and network devices. 
The account and identity management program\n    includes the following elements:\n    \xef\x82\xa7   Documented policies and procedures for requesting, issuing, and closing information system accounts\n    \xef\x82\xa7   Identifies and authenticates information system users and devices before allowing access\n    \xef\x82\xa7   Information system accounts created, managed, monitored, and disabled by authorized personnel\n    \xef\x82\xa7   Periodic review of information system accounts to ensure access permissions provided to users is current and\n        appropriate\n    \xef\x82\xa7   Controls to prevent, detect or notify authorized personnel of suspicious account activity or devices\n    \xef\x82\xa7   Planning and preparation for dual-factor authentication with the roll-out of new laptops during 2011\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                               14\n\x0c\xef\x82\xa1   The Agency has established an entity-wide continuous monitoring program that assesses\n    the security state of information systems that is generally consistent with NIST's and\n    OMB's FISMA requirements. 
The continuous monitoring program includes the following\n    elements:\n    \xef\x82\xa7   Infrastructure Security Plan and Management Control Plan reflect continuous monitoring strategy\n    \xef\x82\xa7   Malicious code protection\n    \xef\x82\xa7   Vulnerability scanning\n    \xef\x82\xa7   Log monitoring\n    \xef\x82\xa7   Notification of unauthorized devices\n    \xef\x82\xa7   Notification of changes or additions to sensitive accounts\n    \xef\x82\xa7   Ongoing monitoring of security alerts and updates from vendors and appropriate action in response\n    \xef\x82\xa7   Commitment to annual independent penetration test\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                    15\n\x0c\xef\x82\xa1   The Agency established and is maintaining an entity-wide business continuity/disaster\n    recovery program that is generally consistent with NIST's and OMB's FISMA requirements.\n    The contingency planning program includes the following elements:\n    \xef\x82\xa7   FCA committed resources to ensure the continuity of operations of essential functions in emergency situations\n    \xef\x82\xa7   Business continuity plan and disaster recovery plan were developed and periodically updated to support the\n        restoration of operations and systems after a disruption or failure\n    \xef\x82\xa7   Alternative processing site and essential systems successfully activated during a government wide test\n    \xef\x82\xa7   Backup strategy includes daily and weekly backups of data and systems\n    \xef\x82\xa7   Two off-site storage facilities for backups\n    \xef\x82\xa7   Disaster recovery kit maintained offsite that contains critical software needed to recreate systems\n    \xef\x82\xa7   Employee notification system used to alert employees of office closing and other events\n    \xef\x82\xa7   Many FCA employees successfully continued to work remotely from their homes when the office was closed during a\n  
      snow emergency\n\n\n\n\n                             Report #E-10-01 OIG Evaluation: FISMA 2010                                                   16\n\x0c\xef\x82\xa1   The Agency has established and maintains a program to oversee systems operated on its\n    behalf by contractors. The contractor system oversight program includes the following\n    elements:\n    \xef\x82\xa7   Memorandum of Understanding, Interconnect Service Agreement, Contract, or Agreement for all contractor systems\n        and interconnections\n    \xef\x82\xa7   Updates inventory of contractor systems and interconnections annually\n    \xef\x82\xa7   Reviews and updates security plans for contractor systems annually\n    \xef\x82\xa7   Performed due diligence reviews and monitored security controls for outsourced systems\n    \xef\x82\xa7   Performed site visits to review security documentation and verify financial and personnel system providers employed\n        adequate security measures to protect information, applications, and services\n    \xef\x82\xa7   Periodically reviewed user accounts and privileges\n\n\n\n\n                              Report #E-10-01 OIG Evaluation: FISMA 2010                                                      17\n\x0c              Inspector General                                                                      2010\n                                                                                                    Annual FISMA\n                                                                                                       Report\n              Section Report\n\n\n\n\n                                                       Farm Credit Administration\n\n\n\n\n                                                             Printed: November 10, 2010, 10:06 am\n\nReport #E-10-1 OIG Evaluation: FISMA 2010 Appendix A\n\x0cSection 1: Status of Certification and Accreditation Program\n1.        Selected response is:\n          a. 
The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST's\n          and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes\n          the following attributes:\n                     1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and\n          accreditation process.\n                     2. Establishment of accreditation boundaries for agency information systems.\n                     3. Categorizes information systems.\n                     4. Applies applicable minimum baseline security controls.\n                     5. Assesses risks and tailors security control baseline for each system.\n                     6. Assessment of the management, operational, and technical security controls in the information system.\n                     7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk\n          assessment, or an equivalent document.\n                     8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results\n          of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and\n          milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce\n          or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk\n          assessment.\n\nSection 2: Status of Security Configuration Management\n2.        Selected response is:\n          b. The Agency has established and is maintaining a security configuration management program. 
However, the Agency needs to\n          make significant improvements as noted below.\n          2a.        Areas for Improvement:\n                     2a(1).    Configuration management policy is not fully developed.\n                                No\n                     2a(2).    Configuration management procedures are not fully developed or consistently implemented.\n                                No\n                     2a(3).    Software inventory is not complete (NIST 800-53: CM-8).\n                                No\n\nOIG Report - Annual 2010                                                                                                                               Page 1 of 6\nReport #E-10-1 OIG Evaluation: FISMA 2010 Appendix A                        For Official Use Only\n\x0cSection 2: Status of Security Configuration Management\n                     2a(4).    Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).\n                                No\n                     2a(5).    Hardware inventory is not complete (NIST 800-53: CM-8).\n                                No\n                     2a(6).    Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).\n                                No\n                     2a(7).    Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).\n                                No\n                     2a(8).    FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.\n                                Yes\n                                         Comments:     FCA is in the process of consolidating FDCC and existing group policies to eliminate any redundancy in the group\n                                                       policies. 
FCA has agreed to develop an action plan to guide the Agency in achieving compliance with the\n                                                       FDCC/USGCB.\n                     2a(9).    Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).\n                                No\n                     2a(10). Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4, CM-6, RA-5, SI-2).\n                                No\n                     2a(11). Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).\n                                No\n                     2a(12). Other\n                                No\n3.        Identify baselines reviewed:\n           Operating System\n           Microsoft Windows Vista Enterprise Edition\n\nSection 3: Status of Incident Response & Reporting Program\n4.        Selected response is:\n\nOIG Report - Annual 2010                                                                                                                                            Page 2 of 6\nReport #E-10-1 OIG Evaluation: FISMA 2010 Appendix A                          For Official Use Only\n\x0cSection 3: Status of Incident Response & Reporting Program\n          a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's\n          and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes\n          the following attributes:\n                    1. Documented policies and procedures for responding and reporting to incidents.\n                    2. Comprehensive analysis, validation and documentation of incidents.\n                    3. When applicable, reports to US-CERT within established timeframes.\n                    4. When applicable, reports to law enforcement within established timeframes.\n                    5. 
Responds to and resolves incidents in a timely manner to minimize further damage.\n\nSection 4: Status of Security Training Program\n5.        Selected response is:\n          a. The Agency has established and is maintaining a security training program that is generally consistent with NIST's and OMB's\n          FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following\n          attributes:\n          1. Documented policies and procedures for security awareness training.\n          2. Documented policies and procedures for specialized training for users with significant information security responsibilities.\n          3. Appropriate training content based on the organization and roles.\n          4. Identification and tracking of all employees with login privileges that need security awareness training.\n          5. Identification and tracking of employees without login privileges that require security awareness training.\n          6. Identification and tracking of all employees with significant information security responsibilities that require specialized training.\n\nSection 5: Status of Plans of Actions & Milestones (POA&M) Program\n6.        Selected response is:\n          a. The Agency has established and is maintaining a POA&M program that is generally consistent with NIST's and OMB's FISMA\n          requirements and tracks and monitors known information security weaknesses. Although improvement opportunities may have been\n          identified by the OIG, the program includes the following attributes:\n                    1. Documented policies and procedures for managing all known IT security weaknesses.\n                    2. Tracks, prioritizes and remediates weaknesses.\n                    3. Ensures remediation plans are effective for correcting weaknesses.\n                    4. Establishes and adheres to reasonable remediation dates.\n                    5. 
Ensures adequate resources are provided for correcting weaknesses.\n                    6. Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the\nOIG Report - Annual 2010                                                                                                                              Page 3 of 6\nReport #E-10-1 OIG Evaluation: FISMA 2010 Appendix A                       For Official Use Only\n\x0cSection 5: Status of Plans of Actions & Milestones (POA&M) Program\n          CIO centrally tracks, maintains, and independently reviews/validates the POAM activities at least quarterly.\n\nSection 6: Status of Remote Access Program\n7.        Selected response is:\n          a. The Agency has established and is maintaining a remote access program that is generally consistent with NIST's and OMB's\n          FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following\n          attributes:\n                    1. Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.\n                    2. Protects against unauthorized connections or subversion of authorized connections.\n                    3. Users are uniquely identified and authenticated for all access.\n                    4. If applicable, multi-factor authentication is required for remote access.\n                    5. Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including\n          strength mechanisms.\n                    6. Requires encrypting sensitive files transmitted across public networks or stored on mobile devices and removable media\n          such as CDs and flash drives.\n                    7. 
Remote access sessions are timed-out after a maximum of 30 minutes of inactivity after which re-authentication is\n          required.\n\nSection 7: Status of Account and Identity Management Program\n8.        Selected response is:\n          a. The Agency has established and is maintaining an account and identity management program that is generally consistent with\n          NIST's and OMB's FISMA requirements and identifies users and network devices. Although improvement opportunities may have\n          been identified by the OIG, the program includes the following attributes:\n          1. Documented policies and procedures for account and identity management.\n          2. Identifies all users, including federal employees, contractors, and others who access Agency systems.\n          3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n          4. If multi-factor authentication is in use, it is linked to the Agency's PIV program.\n          5. Ensures that the users are granted access based on needs and separation of duties principles.\n          6. Identifies devices that are attached to the network and distinguishes these devices from users.\n          7. Ensures that accounts are terminated or deactivated once access is no longer required.\n\nSection 8: Status of Continuous Monitoring Program\n9.        Selected response is:\n          a. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems\n          that is generally consistent with NIST's and OMB's FISMA requirements. 
Although improvement opportunities may have been\n          identified by the OIG, the program includes the following attributes:\n          1. Documented policies and procedures for continuous monitoring.\n          2. Documented strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring, notification of\n          unauthorized devices, sensitive new accounts, etc.\n          3. Ongoing assessments of selected security controls (system-specific, hybrid, and common) that have been performed based\n          on the approved continuous monitoring plans.\n          4. Provides system authorizing officials and other key system officials with security status reports covering updates to\n          security plans and security assessment reports, as well as POA&M additions.\n\nSection 9: Status of Contingency Planning Program\n10.       Selected response is:\n          a. The Agency established and is maintaining an entity-wide business continuity/disaster recovery program that is generally consistent\n          with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the\n          program includes the following attributes:\n          1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact\n          of a disruptive event or disaster.\n          2. The agency has performed an overall Business Impact Assessment.\n          3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures.\n          4. Testing of system specific contingency plans.\n          5. The documented business continuity and disaster recovery plans are ready for implementation.\n          6. Development of training, testing, and exercises (TT&E) approaches.\n          7. 
Performance of regular ongoing testing or exercising of continuity/disaster recovery plans to determine effectiveness and to\n          maintain current plans.\n\nSection 10: Status of Agency Program to Oversee Contractor Systems\n11.       Selected response is:\n          a. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities.\n          Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:\n          1. Documented policies and procedures for information security oversight of systems operated on the Agency's behalf by contractors\n          or other entities. The Agency obtains sufficient assurance that security controls of systems operated by contractors or others on its\n          behalf are effectively implemented and comply with federal and agency guidelines.\n          2. A complete inventory of systems operated on the Agency's behalf by contractors or other entities.\n          3. The inventory identifies interfaces between these systems and Agency-operated systems.\n          4. The agency requires agreements (MOUs, Interconnect Service Agreements, contracts, etc.) for interfaces between these systems\n          and those that it owns and operates.\n          5. The inventory, including interfaces, is updated at least annually.\n          6. 
Systems that are owned or operated by contractors or entities are subject to and generally meet NIST and OMB's FISMA\n          requirements.\n"